
Packet capture in N9k

thiru.vel10
Level 1

Could anyone share a guide to capture interface packets in and out on N9k

like monitor capture

using Ethanalyzer

1 Accepted Solution


Christopher Hart
Cisco Employee

Hello!

You can use the Ethanalyzer tool to capture control plane traffic on Nexus 9000 series switches (as well as any Cisco Nexus switch of any model). The troubleshooting guide for Ethanalyzer can be found here, which is a good starting point to learn the command line syntax of the tool. For more practical examples, you can reference this document, which is primarily written for the Nexus 7000 series switches, but is highly applicable to all other models of Nexus switches too.

To capture data plane traffic, you have a few different options depending on the specific model/generation of Nexus 9000 series switch.

  • All Nexus 9000 series switches support both the SPAN and ERSPAN features.
    • SPAN replicates data plane traffic that ingresses or egresses one or more interfaces to a "monitor interface" on the switch, allowing a connected host (such as a server, laptop, etc.) to monitor traffic using a capture tool like Wireshark. The configuration guide for SPAN can be found here.
    • ERSPAN also replicates data plane traffic that ingresses or egresses one or more interfaces, but encapsulates the data plane traffic in an IP-based ERSPAN header. The traffic is then sent to a remote host that owns that IP, which usually uses a capture tool like Wireshark to decapsulate the ERSPAN-encapsulated data plane traffic and analyze the data plane traffic. The configuration guide for ERSPAN can be found here.
  • Nexus 9000 series switches utilizing a Cloud Scale ASIC can replicate data plane traffic that ingresses or egresses one or more interfaces to the supervisor/control plane for inspection using the Ethanalyzer control plane packet capture tool. This feature is known as "SPAN-to-CPU". Although it is heavily rate limited, it can be useful to easily validate a particular flow of traffic is traversing the data plane of the switch without needing a capture host connected to the switch or stood up elsewhere in the network. Details about this feature can be found in the Nexus 9000 Cloud Scale ASIC NX-OS SPAN-to-CPU Procedure document. Note that this feature is not supported on first-generation Nexus 9000 series switches, which do not use Cisco's Cloud Scale ASIC.
  • This is not quite a data plane packet capture feature, but Nexus 9000 series switches utilizing a Cloud Scale ASIC can analyze the forwarding decision made on a single packet with specific characteristics (e.g. source IP address, destination IP address, IP protocol, etc.). The results of the forwarding decision (egress interface, egress VLAN, etc.) are then returned to the user. This feature is called the Embedded Logic Analyzer Module, or "ELAM" for short. Details about how to use this feature can be found in the Nexus 9000 Cloud Scale ASIC (Tahoe) NX-OS ELAM document. Note that this feature is not supported on first-generation Nexus 9000 series switches, which do not use Cisco's Cloud Scale ASIC.

I hope this is helpful - thank you!

-Christopher
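
The answer above notes that ERSPAN wraps mirrored traffic in an IP-based header that the capture host has to decapsulate. The sketch below is an added example (not part of the post, and not Cisco code) showing that decapsulation for one packet; it assumes ERSPAN Type II framing (outer IPv4, GRE protocol type 0x88BE with a sequence number, 8-byte ERSPAN header), and the function names and the sample packet are constructed for illustration.

```python
import struct

GRE_ERSPAN_II = 0x88BE  # GRE protocol type carried by ERSPAN Type II (assumed framing)

def decap_erspan_ii(pkt: bytes) -> dict:
    """Strip outer IPv4 + GRE + ERSPAN Type II headers from one mirrored packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 47:
        raise ValueError("not an IPv4/GRE packet")
    gre = pkt[(pkt[0] & 0x0F) * 4:]           # honour the outer IP header length
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    if not flags & 0x1000:
        raise ValueError("no GRE sequence number, so no ERSPAN header follows")
    # Skip the optional GRE checksum (C bit) and key (K bit) words if present.
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)
    if len(gre) < off + 12:
        raise ValueError("truncated GRE/ERSPAN header")
    seq, w1, w2 = struct.unpack("!III", gre[off:off + 12])
    inner = gre[off + 12:]
    if w1 >> 28 != 1 or len(inner) < 14:
        raise ValueError("bad ERSPAN version or truncated inner frame")
    return {
        "sequence": seq,                       # gaps suggest lost mirror copies
        "vlan": (w1 >> 16) & 0xFFF,            # VLAN of the mirrored frame
        "session_id": w1 & 0x3FF,              # ERSPAN session that produced it
        "truncated": bool((w1 >> 10) & 1),     # T bit: mirrored frame was cut short
        "index": w2 & 0xFFFFF,
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_frame": inner,                  # original Ethernet frame, ready to analyze
    }

def build_sample(session_id=5, vlan=100, seq=7) -> bytes:
    """Constructed sample: outer IPv4/GRE/ERSPAN around a dummy Ethernet frame."""
    inner = bytes.fromhex("0200000000020200000000010800") + b"constructed payload"
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 0)
    gre = struct.pack("!HHI", 0x1000, GRE_ERSPAN_II, seq)
    body = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 47, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 100]))  # checksum left 0
    return ip + body

if __name__ == "__main__":
    info = decap_erspan_ii(build_sample())
    print({k: v for k, v in info.items() if k != "inner_frame"})
```

Wireshark performs the same unwrapping automatically; doing it by hand is mainly useful when mirrored traffic is fed to a custom collector or detection pipeline.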


2 Replies

marce1000
VIP

 - FYI : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-4/configuration_guide/nmgmt/b_174_nmgmt_9300_cg/configuring_packet_capture.html

 M.



